Virtual Organization Membership Service eXtension (VOX)
Virtual Organization Membership Service eXtension
(VOX)
Ian Fisk
On behalf of the VOX Project
Fermilab
09/29/2004 CHEP 2004 2
Authors and contributors
Richard Baker (BNL)
Lothar Bauderick (Fermilab)
Eileen Berman (Fermilab)
Gabriele Carcassi (BNL)
Ian Fisk (Fermilab)
Robert Gardner (University of Chicago)
Gregory Graham (Fermilab)
Leigh Grundhoefer (University of Indiana)
Anne Heavey (Fermilab)
Joe Kaiser (Fermilab)
Tanya Levshina (Fermilab)
Ruth Pordes (Fermilab)
Vijay Sekhri (Fermilab)
Dane Skow (Fermilab)
John Weigand (Fermilab)
Yujun Wu (Fermilab)
Presentation overview
• Introduction
• Stakeholders and collaborators
• VO Management Infrastructure at Fermilab
• VO Membership Registration Service
• Identifying the workflow
• VO Concepts
• VO Roles
• VOMRS Architecture
• WEBUI Screenshots
• What’s next?
• Summary
Introduction
US CMS, SDSS, and iVDGL have sponsored an effort at Fermilab, the VOX Project (VO Management Service eXtension), to investigate and implement the requirements, both policy-related and technical, for admitting collaborators into a VO, and facilitating and monitoring their authorization to access the available grid resources.
This effort has resulted in a study and understanding of the necessary workflow, and the creation of a prototype VO Membership Registration Service (VOMRS), which is a principal component of the VOX project.
Stakeholders and Collaborators
• Stakeholders:
– US CMS
– Fermilab Computing Facility
– iVDGL
– SDSS
• Collaborators:
– BNL – VOMRS architecture, registration process, common interfaces
– EGEE(EDG)/DataTag – VOMS core and admin software
– VDT (U of Wisconsin), Virginia Tech – ongoing communication and agreements with Globus on gatekeeper and authorization callouts
VO Management Infrastructure at Fermilab (I)
[Diagram: components grouped by project. VOX Project: VOMRS and SAZ. Privilege Project: GUMS and the Gatekeeper with PRIMA module on the Fermilab Grid Cluster. VOMS Project: VOMS Admin and Core Services. A Local Center Registration Service is also shown. Labelled flows: register (user to VOMRS), synchronize (VOMRS to VOMS), voms-proxy-init and proxy certificate (user obtains an extended proxy from VOMS), authenticate (proxy presented to the gatekeeper), and authorize (gatekeeper callouts to SAZ and GUMS).]
VO Management Infrastructure at Fermilab (II)
VOX Project:
• VOMRS (VO Membership Registration Service) provides a registration service that
– allows a single point of registration with a VO
– facilitates, negotiates and monitors the process of a member’s authorization to grid resources
– provides centralized storage of membership information and a means to query said information
• SAZ (Site Authorization Service) allows security authorities of the local site to control access to the site’s resources
VOMS Project:
• EGEE (EDG) VOMS Admin service provides centralized storage of member DN, CA, groups and roles, and the means to handle this data.
• DataTag VOMS Core service gives out an extended proxy upon a member’s request.
Privilege Project automates and facilitates the process of managing fine-grained access to a local grid element:
• PRIMA authorization module at the gatekeeper
– elicits information from provided VOMS attributes and other sources
– queries a site-centralized grid user management server
• GUMS (grid user management) server provides
– site-consistent user and group assignment
– interfaces and extensions to the data storage systems
VOMRS: Identifying the workflow
• Understand that VO registration is a multi-level process (institution, grid site, country, VO).
• Identify necessary elements of the registration procedure and develop a model workflow.
• Identify administrative roles and responsibilities.
• Identify various implications of our model on sites and site policies.
• Realize that the implementing technology must be flexible to accommodate the different levels of policies and requirements and to anticipate ongoing changes.
VO Concepts
• Grid, VO, Certificate (DN, CA, ...), Grid resource, Grid job ...
• Experiment: represents research activities that are specific to a particular VO.
• Group and group roles: an experiment contains groups. A group may have sub-groups. Group and group roles are included as attributes in a proxy certificate.
• Institution: an organization whose members participate in experiments within a particular VO.
• Grid site: an institution that provides grid resources. Each site has policies that require specific personal information.
• Personal information: private and public data about an individual that is collected by the VO.
• Notification Event: an action taken by the registration software that notifies interested members of a change within the VO and describes any required responses.
• Role: defines the actions that a VO Member can perform within the VO and the information that a VO Member can access. A VO member can have one or more roles. The event notifications a VO member receives depend on the member’s role.
Roles (I)
• Applicant:
– An experimenter who belongs to one of the VO institutions and possesses a certificate from one of the VO-approved Certificate Authorities. An applicant has submitted a VO registration form but has not yet been approved.
• Member:
– An applicant who has been approved. A member can submit jobs to the Grid. By default a member is assigned to an experiment-wide group.
• VO administrator:
– A designated VO member who is in charge of registration and has access to all information collected by the VO. He is responsible for assigning administrative roles.
Roles (II)
• Institutional VO representative:
– Vouches for the identity of an applicant.
– Upon registration a member can select a representative from the list of known representatives. The selected representative does not necessarily belong to the member’s institution.
• Grid site administrator:
– Assigns/revokes the role of System Administrator or Local Resource Provider to/from the VO members affiliated with the site.
– Administers authorization of VO members to the site. The details are site-specific and depend on the regulations and policies of each particular site.
• Local resource provider:
– Administers authorization of a member to use the grid resource (this could include addition of this member to the gridmapfile, mapping the member to a local account, etc.)
Registration Flow
[Diagram: the Applicant registers with VOMRS at the VO Central Node, which synchronizes with the EDG VOMS Proxy Server. Approval proceeds through a chain of notify/approve steps involving the Institution Representative and, at each Grid Site, the Site Admin and the LRPs. Once approved, the Member can query VOMRS.]
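The registration workflow on the Roles and Registration Flow slides, modelled as an added example (my own Python, not VOMRS code): a toy VO central node that checks who may perform each step, enforces the order shown, and records the notification event each step raises. All class and method names, the role labels and the sample inputs are assumptions of this example; the rule that the LRP acts only after the site admin has approved is read off the Registration Flow slide.

```python
from dataclasses import dataclass, field

@dataclass
class Registration:
    dn: str
    representative: str
    status: str = "applicant"   # becomes "member" once the VO administrator approves
    vouched: bool = False       # set by the institutional VO representative
    site_ok: dict = field(default_factory=dict)  # site -> set of roles that approved there
    events: list = field(default_factory=list)   # (recipient, text) notification events
class VORegistry:
    def __init__(self, approved_cas, institutions, reps, vo_admins, site_admins, lrps):
        # site_admins and lrps map site name -> set of DNs holding that role at the site
        self.cas, self.institutions, self.reps = set(approved_cas), set(institutions), set(reps)
        self.vo_admins, self.site_admins, self.lrps = set(vo_admins), site_admins, lrps
        self.regs = {}
    def register(self, dn, ca, institution, representative):
        # Applicant: member of a VO institution, cert from a VO-approved CA, known representative
        if ca not in self.cas or institution not in self.institutions or representative not in self.reps:
            raise PermissionError("not eligible to apply")
        reg = self.regs[dn] = Registration(dn, representative)
        reg.events.append((representative, "vouch for " + dn))
        return reg
    def vouch(self, actor, dn):
        reg = self.regs[dn]
        if actor != reg.representative:
            raise PermissionError("only the selected representative may vouch")
        reg.vouched = True
        reg.events.append(("vo_admin", "approve " + dn))
    def approve_membership(self, actor, dn):
        reg = self.regs[dn]
        if actor not in self.vo_admins or not reg.vouched:
            raise PermissionError("needs a vouched applicant and a VO administrator")
        reg.status = "member"   # may submit jobs; each site still decides on site access
        reg.events.append(("sites", "new member " + dn))
    def approve_site(self, actor, dn, site):
        # Order as on the Registration Flow slide: site admin first, then the LRP
        reg, ok = self.regs[dn], self.regs[dn].site_ok.setdefault(site, set())
        if reg.status != "member":
            raise PermissionError("site approval requires VO membership")
        if actor in self.site_admins.get(site, ()):
            ok.add("site_admin")
        elif actor in self.lrps.get(site, ()) and "site_admin" in ok:
            ok.add("lrp")   # e.g. gridmapfile entry / local account mapping
        else:
            raise PermissionError("actor cannot approve at this site at this step")
        reg.events.append((dn, "%s approved at %s" % (actor, site)))
    def authorized_at(self, dn, site):
        reg = self.regs[dn]
        return reg.status == "member" and reg.site_ok.get(site, set()) >= {"site_admin", "lrp"}
```

Every rejected transition raises before any event is recorded, so the event list doubles as an audit trail of the approvals that actually happened.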
VOMRS Architecture
[Diagram: the VOMRS Server comprises a Client IF, a Registrar (Workflow Manager), an Event Manager and a Synchronizer, backed by the VOMRS DB. The Synchronizer uses the EDG VOMS ADMIN API to update the EDG VOMS DB. Members reach the server through Web Services/Servlets, a CLI and a WEBCLIENT, over HTTPS/SSL with GSI and the EDG Trust Manager.]
VOMRS WEBUI (Home page, Group page…)
VOMRS WEBUI (registration)
USCMS VO Registration
VOMRS WEBUI (member search)
VOMRS WEBUI (subscribe to event)
Notification Event Example:
Date: Tue, 21 Sep 2004 13:43:20 -0600
From: [email protected]
Subject: AUTOMATIC NOTIFICATION FROM VOMRS USCMS
To: undisclosed-recipients: ;

Dear Administrator,
We have received a request from a person with Distinguished Name
/DC=org/DC=doegrids/OU=People/CN=Anne Heavey 995073
issued by Certificate Authority
/DC=org/DC=DOEGrids/OU=Certificate Authorities/CN=DOEGrids CA 1
to join VO USCMS. You can check member's personal information.
You can approve or deny member's request.
VO Administrator
What’s Next?
• Continue collaboration with BNL, SDSS, iVDGL, the LCG User Registration Task Force, etc.
• Implement multiple new features requested by collaborators:
– VO membership expiration and renewal processes
– Email verification
– Interface to organizational human resource database (LCG requirement)
• Continue support for VOMRS instances installed at Fermilab and BNL
• Deploy test installation of VOMRS at CERN
Summary
The VO Membership Registration Service, which allows a grid user to become a member of a Virtual Organization, has been developed. It provides a flexible mechanism to collect a member’s personal data as well as to manage the registration workflow. Several instances of VOMRS have been deployed at Fermilab and BNL.
We greatly appreciate the discussions, support and software contributions provided by our collaborators. There are still a lot of features that need to be implemented.
• More info: http://www.uscms.org/s&c/VO
• E-mail: [email protected]